Cyberattacks can severely impact power systems unless they are detected early. However, accurate and timely detection in critical infrastructure systems is challenging, for example because of zero-day vulnerability exploitation and the cyber-physical nature of the system, coupled with the high reliability and resilience required of the physical system. Conventional rule-based and anomaly-based intrusion detection system (IDS) tools are insufficient for detecting zero-day cyber intrusions in industrial control system (ICS) networks. Hence, in this work we show that fusing information from multiple data sources can help identify cyber-induced incidents and reduce false positives. Specifically, we present how to recognize and address the barriers that can prevent the accurate use of multiple data sources for fusion-based detection. We perform multi-source data fusion for training an IDS in a cyber-physical power system testbed, where we collect cyber-side and physical-side data from multiple sensors emulating the real-world data sources found in a utility and synthesize these into features for algorithms that detect intrusions. Results are presented using the proposed data fusion application to infer false data injection and command injection-based Man-in-the-Middle (MiTM) attacks. After collection, the data fusion application performs a time-synchronized merge and extracts features, followed by pre-processing such as imputation and encoding, before training supervised, semi-supervised, and unsupervised learning models to evaluate the performance of the IDS. A major finding is the improvement in detection accuracy obtained by fusing features from the cyber, security, and physical domains. Additionally, we observed that the co-training technique performs on par with supervised learning methods when fed with our features.
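As an added illustration of the pre-training steps named above (time-synchronized merge, imputation, encoding), the following plain-Python pipeline is example code written for this page, not the paper's own data fusion application or testbed data. The cyber-side records (per-window packet counts by source host) and physical-side records (bus voltage magnitude with its own clock), the field names, and the nearest-timestamp tolerance are all constructed assumptions.

```python
import bisect
from statistics import mean
from typing import Any, Dict, List

Row = Dict[str, Any]

# Constructed sample data (not from the paper's testbed). Cyber-side rows are
# per-second packet counts by source host; physical-side rows are bus voltage
# magnitudes (p.u.) logged by a separate device with its own clock.
CYBER: List[Row] = [
    {"ts": 0.0, "src": "10.0.0.5", "proto": "dnp3", "pkts": 12},
    {"ts": 1.0, "src": "10.0.0.5", "proto": "dnp3", "pkts": 11},
    {"ts": 2.1, "src": "10.0.0.9", "proto": "dnp3", "pkts": 40},  # new talker, burst
    {"ts": 3.0, "src": "10.0.0.5", "proto": "dnp3", "pkts": 12},
]
PHYS: List[Row] = [
    {"ts": 0.2, "v_mag": 1.01},
    {"ts": 1.2, "v_mag": 1.00},
    {"ts": 2.2, "v_mag": None},  # dropped measurement, must be imputed
    {"ts": 3.2, "v_mag": 0.92},
]


def time_sync_merge(left: List[Row], right: List[Row], tol: float) -> List[Row]:
    """Join each `left` row with the `right` row whose timestamp is nearest and
    within `tol` seconds (the same idea as pandas.merge_asof with a tolerance).
    Right-side fields are None when no row is close enough."""
    right = sorted(right, key=lambda r: r["ts"])
    rts = [r["ts"] for r in right]
    right_keys = [k for k in right[0] if k != "ts"] if right else []
    merged: List[Row] = []
    for row in sorted(left, key=lambda r: r["ts"]):
        t = row["ts"]
        i = bisect.bisect_left(rts, t)
        best = None
        for j in (i - 1, i):  # only the neighbours of the insertion point can be nearest
            if 0 <= j < len(rts) and abs(rts[j] - t) <= tol:
                if best is None or abs(rts[j] - t) < abs(rts[best] - t):
                    best = j
        out = dict(row)
        for k in right_keys:
            out[k] = right[best][k] if best is not None else None
        merged.append(out)
    return merged


def impute_ffill(rows: List[Row], key: str) -> List[Row]:
    """Forward-fill gaps in `key`; a leading gap falls back to the column mean."""
    present = [r[key] for r in rows if r[key] is not None]
    fallback = mean(present) if present else 0.0
    last = None
    out: List[Row] = []
    for r in rows:
        r = dict(r)
        if r[key] is None:
            r[key] = last if last is not None else fallback
        last = r[key]
        out.append(r)
    return out


def one_hot(rows: List[Row], key: str) -> List[Row]:
    """Replace a categorical column with one 0/1 column per observed value."""
    cats = sorted({r[key] for r in rows})
    out: List[Row] = []
    for r in rows:
        r = dict(r)
        val = r.pop(key)
        for c in cats:
            r[f"{key}={c}"] = int(val == c)
        out.append(r)
    return out


def build_features(cyber: List[Row], phys: List[Row], tol: float = 0.5) -> List[Row]:
    """Fusion pipeline: time-synchronized merge -> imputation -> derived
    physical feature -> categorical encoding."""
    rows = impute_ffill(time_sync_merge(cyber, phys, tol), "v_mag")
    prev = rows[0]["v_mag"]
    for r in rows:  # rate-of-change feature: voltage deviation since the previous window
        r["v_mag_delta"] = round(r["v_mag"] - prev, 6)
        prev = r["v_mag"]
    for key in ("src", "proto"):
        rows = one_hot(rows, key)
    return rows


def feature_matrix(rows: List[Row]) -> List[List[float]]:
    """Numeric matrix with a fixed column order, ready for a learner."""
    columns = sorted(k for k in rows[0] if k != "ts")
    return [[float(r[c]) for c in columns] for r in rows]


if __name__ == "__main__":
    for r in build_features(CYBER, PHYS):
        print(r)
```

In the constructed data the burst from the previously unseen host and the dropped voltage sample land in the same fused window, and the voltage drop follows in the next one; a learner sees these together only because the merge aligned the two clocks. The tolerance is the parameter to watch: set it too tight and most physical readings become gaps that imputation then has to paper over, set it too loose and unrelated windows are fused.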